Computer Security
In a PKC:
– The encryption and decryption keys are different.
– The decryption key cannot be deduced from the encryption key.
That is, keys come in pairs, (z, Z), where z is the private
and Z is the public component of the key.
Each pair of keys satisfies the following two
properties:
– A plaintext encrypted with Z can be decrypted with z. That is
z determines the inverse of the encryption with key Z.
– Given a public key Z it is computationally infeasible to
discover the corresponding decryption key z.
Alice   $Z_A$
Bob     $Z_B$
Fred    $Z_F$
Oscar   $Z_O$
…       …
If Bob wants to send a message X to Alice, he checks the public
directory to find Alice’s public key, and forms the following
cryptogram:
$Y = E_{Z_A}(X)$
$D_{z_A}(Y) = D_{z_A}(E_{Z_A}(X)) = X$
Assessing security in PK systems
$\sum_{i \in S} a_i = T$
In this system:
– Encryption is easy and requires n additions.
– Decryption is difficult, even if the key is known.
$w^{-1} \sum_{i=1}^{n} (w a_i) x_i \pmod{m}$
$= \sum_{i=1}^{n} (w^{-1} w a_i) x_i \pmod{m}$
$= \sum_{i=1}^{n} a_i x_i \pmod{m}$
$= a \cdot X$
Brute force attack
For those who do not know the secret
trapdoor, decryption requires an exhaustive
search through all $2^n$ possible X.
Example:
Earlier we had: a=(171,197,459,1191,2410)
Let w = 2550 and m = 8443.
b=(5457, 4213, 5316, 6013, 7439) is the
public cargo vector.
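The example above carried through in code, as an added Python illustration that is not part of the original slides. The vectors, w and m are the page's values; the function names are introduced here, and the brute-force search is included only to contrast the n additions of encryption with the $2^n$ candidates an outsider must test.

```python
from itertools import product

# Values taken from the page's example; the function names are illustrative.
A = (171, 197, 459, 1191, 2410)  # private super-increasing cargo vector a
W, M = 2550, 8443                # private multiplier w and modulus m


def public_vector(a, w, m):
    """Disguise the easy knapsack: b_i = w * a_i mod m."""
    running = 0
    for weight in a:             # super-increasing: each weight > sum so far
        if weight <= running:
            raise ValueError("cargo vector is not super-increasing")
        running += weight
    if m <= running:
        raise ValueError("modulus must exceed the sum of the weights")
    pow(w, -1, m)                # raises ValueError if w has no inverse mod m
    return tuple(w * weight % m for weight in a)


def encrypt(bits, b):
    """Y = b . X: n additions of public weights."""
    if len(bits) != len(b) or any(x not in (0, 1) for x in bits):
        raise ValueError("plaintext must be one bit per weight")
    return sum(x * weight for x, weight in zip(bits, b))


def decrypt(y, a, w, m):
    """Trapdoor: multiply by w^-1 mod m, then solve the easy knapsack greedily."""
    target = pow(w, -1, m) * y % m
    bits = []
    for weight in reversed(a):   # largest weight first
        take = int(weight <= target)
        bits.append(take)
        target -= take * weight
    if target:
        raise ValueError("ciphertext does not decode under this key")
    return tuple(reversed(bits))


def brute_force(y, b):
    """Without the trapdoor: test all 2^n candidate plaintexts."""
    return [x for x in product((0, 1), repeat=len(b)) if encrypt(x, b) == y]
```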
Multiple layers and the fall of knapsacks
The disguising process can be repeated a number of times on
the cargo vector to create more and more difficult knapsack
problems (w1, m1), (w2, m2),... . The result is, in general, not
equivalent to a single (w, m) transformation.
Adleman (1982) broke the knapsack cryptosystem by taking a
public cargo vector and finding a pair (w', m') that would
convert it back to a super-increasing cargo vector sufficient for
decrypting encrypted messages. It didn’t have to be the
same one used as the private key.
Merkle was confident enough that the multiple layers were still
secure to offer a reward of $1000 to anyone who could break
a multiple layer knapsack.
In 1984, Brickell announced the destruction of a knapsack
system, with 40 iterations and a hundred weights (elements of
the cargo vector), in about one hour of Cray-1 time.
– Merkle gave him the money
Finding inverses:
The Extended Euclidean Algorithm
Initialisation:
a1 = 1, b1 = 0
a2 = 0, b2 = 1
Compute quotient q and remainder r when n1 is divided by n2.
Is r = 0?
No: UPDATE, then compute q and r again:
n1 = n2
n2 = r
t = a2
a2 = a1 - q*a2
a1 = t
t = b2
b2 = b1 - q*b2
b1 = t
Yes:
g = n2
a = a2
b = b2
Output g, a, b
Find gcd(39,11) and a, b such that 39a + 11b = gcd(39,11)
            n1   n2   r   q   a1   b1   a2   b2
Initialise  39   11   6   3    1    0    0    1
            11    6   5   1    0    1    1   -3
             6    5   1   1    1   -3   -1    4
             5    1   0   5   -1    4    2   -7
gcd(39,11) = 1 and 1 = 39*2 + 11*(-7)
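The flowchart and the worked table above, as an added Python example that is not part of the original slides. extended_gcd keeps the flowchart's variable names and records one row per pass in the table's column order; mod_inverse is a helper name introduced here to show how the result yields the inverses used for w and, later, for the RSA exponent d.

```python
def extended_gcd(n1, n2):
    """Return (g, a, b, trace) with g = gcd(n1, n2) = n1*a + n2*b.

    Each trace row is (n1, n2, r, q, a1, b1, a2, b2), as in the table.
    """
    if n2 == 0:                      # nothing to divide by: gcd is n1
        return n1, 1, 0, []
    a1, b1, a2, b2 = 1, 0, 0, 1      # initialisation
    trace = []
    while True:
        q, r = divmod(n1, n2)        # quotient and remainder
        trace.append((n1, n2, r, q, a1, b1, a2, b2))
        if r == 0:
            return n2, a2, b2, trace
        n1, n2 = n2, r               # UPDATE step of the flowchart
        a1, a2 = a2, a1 - q * a2
        b1, b2 = b2, b1 - q * b2


def mod_inverse(x, m):
    """Inverse of x modulo m; ValueError when gcd(x, m) != 1."""
    g, _, b, _ = extended_gcd(m, x % m)   # m*a + x*b = g
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {m}")
    return b % m
```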
Example: PKC using a trapdoor knapsack
• From these two facts, we can find $\phi(n)$ for any composite n if the prime
factorization of n is known.
The Euler phi Function
$\phi(n) = |\{x : 1 \le x < n \text{ and } \gcd(x, n) = 1\}|$
• $\phi(2)$ = |{1}| = 1
• $\phi(3)$ = |{1,2}| = 2
• $\phi(4)$ = |{1,3}| = 2
• $\phi(5)$ = |{1,2,3,4}| = 4
• $\phi(6)$ = |{1,5}| = 2
• $\phi(37)$ = 36
• $\phi(21)$ = (3–1)×(7–1) = 2×6 = 12
The algorithm
1. Choose two primes p and q. Compute n = pq and
$m = \phi(n) = (p-1)(q-1)$.
• $\phi(n)$ is Euler’s totient function: It is the number of positive
integers less than n that are relatively prime to n.
2. Choose e, $1 \le e \le m - 1$, such that gcd(e,m)=1.
3. Find d such that ed = 1 mod m.
• This is possible because of the choice of e.
• d is the multiplicative inverse of e modulo m and can be
found using the extended Euclidean (gcd) algorithm.
4. The Public key is (e, n).
The Private key is (d, p, q).
Encryption and decryption
Let X denote a plaintext block, and Y denote the
corresponding ciphertext block.
Let $(z_A, Z_A)$ denote the private and public components of
Alice's key.
User (n,e)
Alice (85,23)
Bob (117,5)
Fred (4757,11)
An important property of the RSA algorithm is that
encryption and decryption are the same function:
both exponentiation modulo n.
$E_{Z_A}(D_{z_A}(X)) = X$
Example:
– First decrypt: $2^{13} = 41 \bmod 143$
– Then encrypt: $41^{37} = 2 \bmod 143$
where $Z_n^* = \{1, 2, …, n-1\}$.
Example: n=7
$2^3 = 1$, $3^3 = 6$, $4^3 = 1$, $5^3 = 6$, $6^3 = 6$, so G={1,6}
Lehmann’s theorem:
If n is odd, G={1,n-1} if and only if n is prime.
Example: n=15 isn’t prime: (n-1)/2=7
$2^7 = 8 \bmod 15$, $3^7 = 12 \bmod 15$
Precomputation:
$X_2 = X \cdot X$
$X_4 = X^{2^2} = X_2 \cdot X_2$
…
$X_{2^{n-1}} = X_{2^{n-2}} \cdot X_{2^{n-2}}$
This is a total of n-1 multiplications, all mod N.
Example: N=1823, $n = \lceil \log_2 1822 \rceil = 11$.
– Calculate $Y = 5^{375} \bmod N$
Precomputation:
$X_1 = 5$, $X_2 = 25$, $X_4 = 625$
$X_8 = 503$, $X_{16} = 1435$, $X_{32} = 1058$
$X_{64} = 42$, $X_{128} = 1764$, $X_{256} = 1658$
$X_{512} = 1703$, $X_{1024} = 1639$
Never store a number larger than N!
Never multiply two numbers larger than N!
375=256+64+32+16+4+2+1.
$5^{375} = 5 \cdot 25 \cdot 625 \cdot 1435 \cdot 1058 \cdot 42 \cdot 1658 = 591 \bmod 1823$
There are various other tricks for calculating powers
too, but we aren’t going to look at them here!
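The precomputation method above in code, as an added Python example that is not part of the original slides. The function names are introduced here; every intermediate value is reduced mod N, so nothing larger than N is ever stored and no operand of a multiplication exceeds N.

```python
def precompute_squares(x, n_bits, modulus):
    """Return [X_1, X_2, X_4, ...]: n_bits entries, n_bits - 1 squarings mod N."""
    table = [x % modulus]
    for _ in range(n_bits - 1):
        table.append(table[-1] * table[-1] % modulus)
    return table


def mod_exp(x, exponent, modulus):
    """Return (x^exponent mod modulus, list of powers of two that were used)."""
    if exponent < 0 or modulus < 1:
        raise ValueError("need exponent >= 0 and modulus >= 1")
    n_bits = max(exponent.bit_length(), 1)
    table = precompute_squares(x, n_bits, modulus)
    result, used = 1 % modulus, []
    for i, square in enumerate(table):
        if exponent >> i & 1:            # bit i of the exponent is set
            result = result * square % modulus
            used.append(1 << i)
    return result, used
```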
A weakness in RSA
In RSA not all messages are concealed,
i.e. for some messages the plaintext and ciphertext are the same.
Example: n=35=5*7, m=4*6.
X=8.
$Y = 8^5 \bmod 35 = 8$
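An added Python example, not part of the original slides, covering both the decrypt-then-encrypt example for n = 143 and the unconcealed message above. The function names are introduced here; the closed-form count (1 + gcd(e-1, p-1))(1 + gcd(e-1, q-1)) is a standard result that the page does not state, used to check the exhaustive search when vetting a choice of e.

```python
from math import gcd


def rsa_keypair(p, q, e):
    """Steps 1-4 of the algorithm: return public (e, n) and private (d, p, q)."""
    n, m = p * q, (p - 1) * (q - 1)
    if not 1 <= e <= m - 1 or gcd(e, m) != 1:
        raise ValueError("need 1 <= e <= m - 1 and gcd(e, m) = 1")
    d = pow(e, -1, m)            # same inverse the extended Euclidean algorithm gives
    return (e, n), (d, p, q)


def apply_key(x, exponent, n):
    """Encryption and decryption are the same function: x^exponent mod n."""
    if not 0 <= x < n:
        raise ValueError("block must lie in [0, n)")
    return pow(x, exponent, n)


def unconcealed_messages(e, n):
    """Every X in [0, n) with X^e mod n == X (exhaustive, toy moduli only)."""
    return [x for x in range(n) if pow(x, e, n) == x]


def expected_unconcealed(p, q, e):
    """Closed-form count of unconcealed messages for n = p*q."""
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))
```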
n = pq
$\phi(n) = (p-1)(q-1)$
The enemy knows $e_1$, $e_2$, $N$, $Y_1$ and $Y_2$, and furthermore that
$Y_1 = X^{e_1} \bmod N$ and $Y_2 = X^{e_2} \bmod N$
$C_1 = m_1^e \bmod N$
$C_2 = m_2^e \bmod N$
$C_1 C_2 = m_1^e m_2^e = (m_1 m_2)^e \bmod N$
An attack against RSA
Suppose m is l bits, $m \le 2^l$.
Suppose $m = m_1 m_2$ with $m_1, m_2 \le 2^{l/2}$.
The attacker knows $c = m_1^e m_2^e \bmod N$
… and builds a sorted database:
$\{1^e, 2^e, 3^e, …, (2^{l/2})^e\} \bmod N$
For a given c, the attacker searches the
database for $c / i^e = j^e \bmod N$.
This will take at most $2^{l/2}$ steps.
The cost if $2^{l/2} \log N$ space is affordable is…
l / 21 l
O 2 * log N
3
2
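The table search described above on constructed toy parameters, as an added Python example that is not part of the original slides. P, Q, E and the function names are assumptions chosen here (l = 16, so the table has $2^{8}$ entries); it shows that a short message sent as a bare $m^e \bmod N$ is protected by roughly $2^{l/2}$ work, not $2^l$, whenever it splits into two small factors.

```python
# Constructed toy key, not from the page: two small primes and a valid exponent.
P, Q, E = 1009, 1013, 17
N = P * Q


def build_table(e, n, half_bits):
    """The page's database as a dict: i^e mod N -> i for 1 <= i <= 2^(l/2)."""
    return {pow(i, e, n): i for i in range(1, 2 ** half_bits + 1)}


def split_message(c, e, n, half_bits):
    """Look for i, j with c / i^e = j^e (mod N); return m = i*j, or None."""
    table = build_table(e, n, half_bits)
    for i in range(1, 2 ** half_bits + 1):
        try:
            inverse = pow(pow(i, e, n), -1, n)   # 1 / i^e mod N
        except ValueError:                       # i shares a factor with N
            continue
        j = table.get(c * inverse % n)
        if j is not None:
            return i * j                         # at most 2^(l/2) lookups
    return None
```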